Home PageSimple Log ServiceUser GuideData collectionBest practicesUse Logtail to collect logsCollect logs whose timestamps are accurate to the nanosecond
Search for Help Content

Collect logs whose timestamps are accurate to the nanosecond

Updated at: 2024-06-03 02:00
Product
Community

This topic describes how to effectively extract and process timestamps that are accurate to the nanosecond when you collect logs by using Logtail. This ensures that Simple Log Service can accurately capture the high-precision time values of raw logs.

Scenarios

In some business scenarios, high-precision time values, such as millisecond or higher, are required. For example, high-precision time values are required to preserve the order of logs for specific submodules. In this case, time values with millisecond precision are displayed in logs. This requires the log analysis platform to provide the capabilities to store, query, and analyze high-precision timestamps.

When you collect logs by using Logtail, you can extract timestamps that are accurate to the nanosecond. You are no longer limited by the Simple Log Service storage model that supports only timestamps with second precision.

Prerequisites

  • A project and a Logstore are created. For more information, see Manage a project and Manage a Logstore.

  • Logtail is installed on your server. A machine group that contains the server is created.

    Note

    • For more information about how to install Logtail on an Elastic Compute Service (ECS) instance, see Install Logtail on ECS instances.

    • If your server is an ECS instance that belongs to a different Alibaba Cloud account from Simple Log Service, a server in a data center, or a server from a third-party cloud service provider, you must manually install Logtail on the server. For more information, see Install Logtail on a Linux server. After you manually install Logtail, you must configure a user identifier for the server. For more information, see Configure a user identifier.

    • You can extract time values that are accurate to the nanosecond by using Linux Logtail V1.8.0 or later.

Collection from files

Use native plug-ins to parse logs
Use extended plug-ins to extract log time in a time format that is supported by strptime
Use extended plug-ins to extract log time in a time format that is supported by Go

Sample raw log:

2023.11.06-15.12.12.123456,10.10.*.*,"POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",200,18204,aliyun-sdk-java

  1. In the Logtail Configuration step of the wizard, click Other Global Configurations. In the Other Global Configurations section, turn on Advanced Parameters. In the Advanced Parameters field, enter { "EnableTimestampNanosecond": true}.

    For more information about how to collect logs, see Collect text logs from servers.

    image

  2. Add the Data Parsing (Delimiter Mode) plug-in. For more information, see Parsing in delimiter mode.

    image

  3. Add the Time Parsing plug-in. For more information, see Time parsing.

    You must configure a time format for the Time Parsing plug-in. For example, if the time field that is parsed by the Data Parsing (Delimiter Mode) plug-in from the raw log is 2023.10.26-20.58.12.123456, you must set the time format to %Y.%m.%d-%H.%M.%S.%f. %f indicates the fractional part of the second. The highest precision that is supported by the Time Parsing plug-in is the nanosecond. You must configure a time format that is consistent with the time format of the raw log. If the formats are inconsistent, the timestamp that is accurate to the nanosecond cannot be parsed. For more information, see FAQ. For more information about time formats, see Time formats.

    image

  4. View the parsing results in the Simple Log Service console. After you configure indexes, you can view the parsed timestamp that is accurate to the nanosecond. For more information, see Create indexes.

    image

Sample raw log:

{
  "asctime": "2023-10-25 23:51:10,199999999",
  "filename": "generate_data.py",
  "levelname": "INFO",
  "lineno": 51,
  "module": "generate_data",
  "message": "{\"no\": 14, \"inner_loop\": 166, \"loop\": 27451, \"uuid\": \"9be98c29-22c7-40a1-b7ed-29ae6c8367af\"}",
  "threadName": "MainThread"
}

  1. In the Logtail Configuration step of the wizard, click Other Global Configurations. In the Other Global Configurations section, turn on Advanced Parameters. In the Advanced Parameters field, enter { "EnableTimestampNanosecond": true}.

    For more information about how to collect logs, see Collect text logs from servers.

    image

  2. Add the Expand JSON Field plug-in. For more information, see Expand JSON fields.

    Note

    The sample raw low is in the single-level JSON format. When you expand JSON data in this format, you can use "" to connect expanded keys. When you expand JSON data in the multi-level JSON format, you can use "_" to connect expanded keys.

    image

  3. Add the Extract Log Time (strptime Time Format) plug-in. For more information, see Time format supported by strptime.

    You must configure a time format for the Extract Log Time (strptime Time Format) plug-in. For example, if the time field that is parsed from the raw log is "asctime": "2022-04-29 21:37:40,251", you must set the time format to %Y-%m-%d %H:%M:%S,%f. %f indicates the fractional part of the second. The highest precision that is supported by the Extract Log Time (strptime Time Format) plug-in is the nanosecond. You must configure a time format that is consistent with the time format of the raw log. For more information, see Time formats.

    image

  4. View the parsing results in the Simple Log Service console. After you configure indexes, you can view the parsed timestamp that is accurate to the nanosecond. For more information, see Create indexes.

    image

Sample raw log:

{
  "asctime": "2023-10-25 23:51:10,199999999",
  "filename": "generate_data.py",
  "levelname": "INFO",
  "lineno": 51,
  "module": "generate_data",
  "message": "{\"no\": 14, \"inner_loop\": 166, \"loop\": 27451, \"uuid\": \"9be98c29-22c7-40a1-b7ed-29ae6c8367af\"}",
  "threadName": "MainThread"
}

  1. In the Logtail Configuration step of the wizard, click Other Global Configurations. In the Other Global Configurations section, turn on Advanced Parameters. In the Advanced Parameters field, enter { "EnableTimestampNanosecond": true}.

    For more information about how to collect logs, see Collect text logs from servers.

    image

  2. Add the Expand JSON Field plug-in. For more information, see Expand JSON fields.

    Note

    The sample raw low is in the single-level JSON format. When you expand JSON data in this format, you can use "" to connect expanded keys. When you expand JSON data in the multi-level JSON format, you can use "_" to connect expanded keys.

    image

  3. Add the Extract Log Time (Go Time Format) plug-in. For more information, see Time format supported by Go.

    You must configure a time format for the Extract Log Time (Go Time Format) plug-in based on the time format specification of Go. Go uses a specific layout reference to represent a time format instead of the common %Y-%m-%d %H:%M:%S format. The reference time in Go is 2006-01-02 15:04:05 -0700 MST. For example, the time value 2023-10-25 01:36:10,199999999 is parsed based on the 2006-01-02 15:04:05,999999999 format.

    The following code provides the example layouts of time formats in Go:

    const (
    Layout      = "01/02 03:04:05PM '06 -0700" // The reference time, in numerical order.
    ANSIC       = "Mon Jan _2 15:04:05 2006"
    UnixDate    = "Mon Jan _2 15:04:05 MST 2006"
    RubyDate    = "Mon Jan 02 15:04:05 -0700 2006"
    RFC822      = "02 Jan 06 15:04 MST"
    RFC822Z     = "02 Jan 06 15:04 -0700" // RFC822 with numeric zone
    RFC850      = "Monday, 02-Jan-06 15:04:05 MST"
    RFC1123     = "Mon, 02 Jan 2006 15:04:05 MST"
    RFC1123Z    = "Mon, 02 Jan 2006 15:04:05 -0700" // RFC1123 with numeric zone
    RFC3339     = "2006-01-02T15:04:05Z07:00"
    RFC3339Nano = "2006-01-02T15:04:05.999999999Z07:00"
    Kitchen     = "3:04PM"
    // Handy time stamps.
    Stamp      = "Jan _2 15:04:05"
    StampMilli = "Jan _2 15:04:05.000"
    StampMicro = "Jan _2 15:04:05.000000"
    StampNano  = "Jan _2 15:04:05.000000000"
)

    image

  4. View the parsing results in the Simple Log Service console. After you configure indexes, you can view the parsed timestamp that is accurate to the nanosecond. For more information, see Create indexes.

    image

FAQ

What do I do if timestamps that are accurate to the nanosecond cannot be parsed when I collect logs?

After a Logtail configuration is created and applied, high-precision timestamps fail to be parsed.

image

  • Cause

    The used plug-in supports %f, but the configured time format does not match the log time in raw logs.

  • Solution

    • Log on to your server on which Logtail is installed, view collected logs, and then identify logs related to the STRPTIME_PARSE_ALARM error. 

      tail -f /usr/local/ilogtail/logtail_plugin.LOG
2023-10-26 00:30:39 [WRN] [strptime.go:164] [processLog] [##1.0##xxxx,xxx]    AlarmType:STRPTIME_PARSE_ALARM    strptime(2023-10-26 00:30:10,199999999, %Y-%m-%d %H:%M:%S %f) failed: 0001-01-01 00:00:00 +0000 UTC, <nil>

    • Change the time format for the plug-in.

      The log time of the raw log that is provided is 2023-10-26 00:30:10,199999999. The delimiter between the second and millisecond is a comma (,). However, the configured time format for parsing is %Y-%m-%d %H:%M:%S %f. In this format, the delimiter between the second and millisecond is a space.

      Change the time format in your Logtail configuration to %Y-%m-%d %H:%M:%S,%f.

References

Previous: Use SPL statements to collect text logsNext: Other collection methods
  • On this page (1, T)
  • Scenarios
  • Prerequisites
  • Collection from files
  • FAQ
  • References
Feedback
phone Contact Us